In this tutorial we show how to set up an ssh connection in order to access computers and services behind a firewall.
The topology of the network is as depicted below:
We have a computer (with IP 192.168.1.2) connected to a router, which in turn is connected to the internet. We want to reach the desktop (with IP 184.108.40.206) and all the other servers (web, samba and mail). The problem with this network is that the firewall allows only ssh connections over port 22, and only to the ssh server (with IP 220.127.116.11). Therefore, in order to reach any of the other computers behind the firewall, we need to go through the ssh server.
What I will show here is how to set up an ssh tunnelling connection that allows us to connect to these machines.
This tutorial is based on the tutorial by Mike Chirico that can be found here.
We want to be able to ssh to the desktop machine (with IP 18.104.22.168), connect to the web server (with IP 22.214.171.124), access the samba server (with IP 126.96.36.199) and use the mail server (with IP 188.8.131.52). In order to do that we need to tunnel through the ssh server (the only machine we can access directly).
To tunnel traffic through the ssh server from the *nix laptop to the different machines behind the firewall, create the following ~/.ssh/config file on the *nix laptop:

    Host mytunnel
        Hostname 184.108.40.206
        ForwardX11 yes
        User your_username_at_220.127.116.11
        LocalForward 22022 18.104.22.168:22
        LocalForward 22139 22.214.171.124:139
        LocalForward 22080 126.96.36.199:80
        LocalForward 22110 188.8.131.52:110

    Host mytunnel_ssh
        HostName localhost
        ForwardX11 yes
        User your_username_at_184.108.40.206
        Port 22022
        HostKeyAlias athens
We have just configured two ssh connections: mytunnel and mytunnel_ssh. The first one is the essential one; the second one only exists to simplify the ssh connection to the desktop.
The first thing done there is to specify the IP of the ssh server (Hostname) and the username (User) to use to connect to it. After that, there are four lines starting with LocalForward. Each of these lines redirects any data sent to a port on the laptop to a port on another computer. For example, the first line:
LocalForward 22022 220.127.116.11:22
states that all data sent to port 22022 of the laptop will be sent (over the ssh connection to the ssh server) to port 22 of the machine with IP 18.104.22.168. This means that whenever the ssh connection mytunnel is open, sending data to port 22022 on the laptop is “the same” as sending data to port 22 of the machine with IP 22.214.171.124. The same holds for the samba, web and mail servers, on ports 22139, 22080 and 22110, respectively.
To open this tunnelling connection we simply need to type the following line in a terminal:
To make an ssh connection to the desktop with IP 126.96.36.199 there are two options. The longest one is to open the previous tunnelling connection:
and then in a new terminal window open the ssh connection to the desktop:
A simpler and shorter way is to add the following line to your
alias desktop_ssh='ssh -N -f -q mytunnel;ssh mytunnel_ssh'
Now, to connect to the desktop, you just need to type in your terminal:
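To make the relationship between the two Host entries concrete, here is an added Python example (not code from the original tutorial or from Mike Chirico's): it parses the ~/.ssh/config shown above, lists which real machine each forwarded local port reaches, and works out what `ssh mytunnel_ssh` actually connects to by following localhost:22022 through the LocalForward table of mytunnel. The config text is embedded as a constructed sample copied from this page, and the parser handles only the directives used here (Host, Hostname, User, Port, LocalForward, HostKeyAlias); it is not a full ssh_config implementation.

```python
"""Resolve what an ssh_config Host entry reaches through LocalForward tunnels.

Added example for the tutorial above. It shows why `ssh mytunnel_ssh`
(localhost:22022) only works while `ssh mytunnel` is running: port 22022
exists on the laptop solely because mytunnel forwards it to the desktop.
"""
from dataclasses import dataclass, field

# Constructed sample: the ~/.ssh/config from the tutorial, one directive per line.
SSH_CONFIG = """
Host mytunnel
    Hostname 184.108.40.206
    ForwardX11 yes
    User your_username_at_220.127.116.11
    LocalForward 22022 18.104.22.168:22
    LocalForward 22139 22.214.171.124:139
    LocalForward 22080 126.96.36.199:80
    LocalForward 22110 188.8.131.52:110

Host mytunnel_ssh
    HostName localhost
    ForwardX11 yes
    User your_username_at_184.108.40.206
    Port 22022
    HostKeyAlias athens
"""


@dataclass
class HostEntry:
    name: str
    options: dict = field(default_factory=dict)
    # (local_port, remote_host, remote_port) for every LocalForward line
    forwards: list = field(default_factory=list)


def parse_ssh_config(text):
    """Minimal ssh_config parser: Host blocks, case-insensitive keywords,
    LocalForward collected separately. Comments (#) and blank lines are skipped."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = HostEntry(value)
            hosts[value] = current
        elif current is None:
            raise ValueError(f"directive before any Host block: {line}")
        elif key == "localforward":
            local, remote = value.split()
            rhost, rport = remote.rsplit(":", 1)
            # the local side may be written as "port" or "bind_address:port"
            current.forwards.append((int(local.rsplit(":", 1)[-1]), rhost, int(rport)))
        else:
            current.options[key] = value
    return hosts


def forwarded_ports(hosts):
    """Map every local listening port to (tunnel host entry, remote host, remote port).
    Two Host entries claiming the same local port is a config bug: only the tunnel
    started first would get the port, so it is reported instead of silently overwritten."""
    table = {}
    for entry in hosts.values():
        for lport, rhost, rport in entry.forwards:
            if lport in table:
                raise ValueError(f"local port {lport} forwarded by both "
                                 f"{table[lport][0]} and {entry.name}")
            table[lport] = (entry.name, rhost, rport)
    return table


def resolve(hosts, name):
    """Describe the real endpoint behind `ssh <name>`. If the entry points at
    localhost on a port that some tunnel forwards, follow it to the machine
    behind the firewall and record which tunnel must be up for that to work."""
    entry = hosts[name]
    target = entry.options.get("hostname", name)
    port = int(entry.options.get("port", 22))
    table = forwarded_ports(hosts)
    via = []
    while target in ("localhost", "127.0.0.1") and port in table and len(via) < 8:
        tunnel, target, port = table[port]
        via.append(tunnel)
    return {"user": entry.options.get("user"), "host": target, "port": port,
            "via": via, "hostkeyalias": entry.options.get("hostkeyalias")}


if __name__ == "__main__":
    cfg = parse_ssh_config(SSH_CONFIG)
    for lport, (tunnel, rhost, rport) in sorted(forwarded_ports(cfg).items()):
        print(f"localhost:{lport} -> {rhost}:{rport}  (needs `ssh {tunnel}` running)")
    print("ssh mytunnel_ssh really reaches:", resolve(cfg, "mytunnel_ssh"))
```

The HostKeyAlias line matters for the second entry: without it, ssh would store the desktop's host key in known_hosts under `[localhost]:22022`, and any later tunnel that reuses local port 22022 for a different machine would trigger a host key mismatch; with the alias the key is filed under `athens` and stays tied to that desktop. One caveat about the alias above: if you run it a second time while the first background tunnel is still up, the new `ssh -N -f -q mytunnel` cannot bind port 22022 and `-q` hides the warning, so you end up with two ssh processes and the forwards of the first one; the conflict check in forwarded_ports() only catches clashes inside the config file, not a tunnel that is already running.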